Fraudulent Apps back from the dead
February 23rd, 2012

Fraudulent apps described by Symantec as Android.Steek in January this year seem to have re-emerged on the Google Android Market. Google removed Android.Steek then, but it seems that Android.Steek has come back.
These apps capitalize on popular app titles to spread quickly. All of them have been built with Android App Inventor, all of them include the twitter4J API package, and all of them request Internet access as their only permission. All of these fraudulent apps share their code base with Android.Steek.
When these apps are run, they fill the screen with various advertisements that require the user to register for online promotions. None of these apps performs its stated function, and none of them even contains the code to accomplish its stated purpose. The apps appear to be associated with numerous ad networks.
Below is the list of offending apps along with their authors.
| Author | Application |
| Asta E Services | 70s Ringtones (POPULAR!) |
| Asta E Services | 80s Ringtones (POPULAR!) |
| Asta E Services | iPad 2 64 GB (For Android ) |
| Asta E Services | Xray App - Camera Based (Android) |
| Asta E Services | Top Songs by Year |
| Asta E Services | Watch TV on Mobile (No Fees) |
| Asta E Services | 15,000 Top Quality Music and.. |
| Freebies Creations | Grocery Coupons \| Deals Plus |
| Freebies Creations | Cheap Flights \| Cheap Tickets |
Typically the app asks the user to tap a button to get coupons, download ringtones, and so on. After multiple redirections it shows the user an advertisement asking them to sign up. At the time of writing this blog, the prevalent advertisement was for an online game. Below are the screenshots of the app “iPad 2 64 GB”.
Author: Haroon Malik
Google Android Market is infected from new Plankton (Apperhand) variant
January 25th, 2012

More than a million infected by a new Plankton (Apperhand) variant on the Google Android Market

Over the last few weeks, the Appriva Threat Intelligence Lab has seen a new variant of Trojan.Android.Plankton emerge embedded in various apps on the Google Android Market. This variant calls itself ‘apperhand’.
At the time of writing this blog, the following apps are being detected by Appriva and one other antivirus vendor. Based on the Google Android Market download counts, it is estimated that more than a million users could be infected.
| App | Author |
| Baloon Game | Ogre Games |
| Deal or BE Millionaire | Ogre Games |
| Counter Strike Ground Force | Iapps7 inc |
| Sexy Ladies 1 | redmicapps |
| Sexy Ladies 2 | redmicapps |
| Sexy Ladies 3 | redmicapps |
| Sexy Ladies 4 | redmicapps |
Just like the original Plankton malware, this variant is included in seemingly legitimate apps by adding a background service. When the app is run, it sends the user's Device-ID, manufacturer, model, source IP, browser User-Agent and Display Matrix to a remote server using an HTTP POST message (www.xxxxxx.com/ProtocolGW/protocol/commands). It can also accept multiple commands from the remote server; we will look at the different commands it can receive from the server in a little while. The background service in this version is called “Android SDK Provider” (previous versions used “Android MDK Provider”). Like the last version, this version can collect user information, read and modify bookmarks, create shortcuts on the device home screen and modify the browser homepage.
Like the previous version, it creates a shortcut on the device home screen that sends a query to http://www.s*****mobileonline.com
Fig 2: Hello Exchange between Malware and server
User Permissions
Here is some of the information the app has access to based on the permissions it requests. This goes well beyond what is required for a game app and the advertising associated with it.
| Coarse (network-based) location |
| Fine (GPS) location |
| Full Internet Access |
| Personal Information: Read & Modify Browser's history and bookmarks |
| Automatically Start at Boot |
Table 1: Information available to malware based on permissions requested
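A triage check built from Table 1, added here as an example (it is not code from the Appriva post or from the malware): it parses a decoded AndroidManifest.xml, reports every permission beyond what a simple game needs, and lists the declared services when the app also registers for boot. The game baseline, the sample manifest and the service class name are constructed assumptions; the permission strings are the real Android names behind the table rows.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android permission names corresponding to the rows of Table 1.
PLANKTON_PERMISSIONS = {
    "android.permission.ACCESS_COARSE_LOCATION": "coarse (network-based) location",
    "android.permission.ACCESS_FINE_LOCATION": "fine (GPS) location",
    "android.permission.INTERNET": "full Internet access",
    "com.android.browser.permission.READ_HISTORY_BOOKMARKS": "read browser history/bookmarks",
    "com.android.browser.permission.WRITE_HISTORY_BOOKMARKS": "modify browser history/bookmarks",
    "android.permission.RECEIVE_BOOT_COMPLETED": "start automatically at boot",
}

# Assumption: what a simple ad-supported game legitimately needs. Tune per app category.
GAME_BASELINE = {"android.permission.INTERNET", "android.permission.VIBRATE"}

# Constructed sample manifest shaped like a Plankton-carrying game (not a real sample;
# the service class name is made up).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="example.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="com.android.browser.permission.WRITE_HISTORY_BOOKMARKS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <service android:name=".AndroidSDKProvider"/>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""


def triage_manifest(xml_text, baseline=GAME_BASELINE):
    """Return (excess_permissions, boot_started_services) for a decoded manifest."""
    root = ET.fromstring(xml_text)
    requested = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    excess = sorted(requested - baseline)
    # A receiver for BOOT_COMPLETED plus a service is the "start at boot" pattern from Table 1.
    boot = any(a.get(ANDROID_NS + "name") == "android.intent.action.BOOT_COMPLETED"
               for a in root.iter("action"))
    services = sorted(s.get(ANDROID_NS + "name") for s in root.iter("service"))
    return excess, (services if boot else [])


if __name__ == "__main__":
    excess, boot_services = triage_manifest(SAMPLE_MANIFEST)
    for perm in excess:
        print("excess permission:", perm, "->", PLANKTON_PERMISSIONS.get(perm, "not in Table 1"))
    print("services in an app that also registers for BOOT_COMPLETED:", boot_services)
```

Run it against the output of an APK decoding tool (the manifest must be in plain XML, not the binary form inside the APK) and compare the excess list with Table 1.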
Inside the Malware
The list of commands supported by the versions of the malware we downloaded is shown in the snippet below.
| BOOKMARKS | Collects Bookmark information |
| SHORTCUTS | Adds home screen shortcuts |
| HOMEPAGE | Modifies the Homepage |
| NOTIFICATIONS | Displays notification on the users phone |
| COMMANDS_STATUS | Get the status of a command |
Table 2: Some of the commands of this malware
Fig 3: Malware Commands
The HOMEPAGE command is new in this version. This version actually has fewer commands than the previous one (the HISTORY and UPDATE commands are absent), probably to lessen the likelihood of being detected. However, while analyzing the code we found that the infrastructure for these commands is still present, so they can be re-incorporated at a future point.
Fig 4: Malware collecting Device information
Author: Haroon Malik and Summaira Zafar

